
    <!DOCTYPE HTML>
    <html lang="en" data-template="post-page">
    <head>
        
    <meta charset="UTF-8"/>
    <title>Mirai, RAR1Ransom, and GuardMiner – Multiple Malware Campaigns Target VMware Vulnerability </title>
    <meta name="keywords" content="mirai botnet,ransomware,FortiGuards Labs,Threat Research,vmware,malware analysis"/>
    <meta name="description" content="In April, VMware patched a vulnerability CVE-2022-22954, which causes server-side template injection. Read our blog to learn more about how malware is attempting to leverage the vulnerability and the behavior after exploitation in more detail."/>
    <meta name="template" content="post-page"/>
    

    <meta name="viewport" content="width=device-width, initial-scale=1"/>


<meta name="google-site-verification" content="tiQ03tSujT2TSsWJ6tNHiiUn8cwYVmdMQrGUCNrPQmo"/>

<meta property="og:site_name" content="Fortinet Blog"/>
<meta property="og:title" content="Mirai, RAR1Ransom, and GuardMiner – Multiple Malware Campaigns Target VMware Vulnerability "/>
<meta property="og:url" content="https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability"/>
<meta property="og:type" content="article"/>
<meta property="og:description" content="In April, VMware patched a vulnerability CVE-2022-22954, which causes server-side template injection. Read our blog to learn more about how malware is attempting to leverage the vulnerability and t…"/>
<meta property="og:image" content="https://www.fortinet.com/content/dam/fortinet-blog/article-images/vmware-vuln-cve-malware-hero.jpg"/>

<meta property="twitter:card" content="summary"/>
<meta property="twitter:site" content="@Fortinet"/>

<meta property="article:author" content="Cara Lin"/>

    <meta property="article:section" content="Threat Research"/>


    <meta property="article:published_time" content="2022-10-20T20:23:00.000-07:00"/>


    <meta property="article:tag" content="mirai botnet"/>

    <meta property="article:tag" content="ransomware"/>

    <meta property="article:tag" content="FortiGuards Labs"/>

    <meta property="article:tag" content="vmware"/>

    <meta property="article:tag" content="malware analysis"/>


<link rel="shortcut icon" href="/etc/designs/fortinet-blog/favicon.ico"/>







    
<link rel="stylesheet" href="/etc.clientlibs/fortinet-blog/clientlibs/clientlib-base.min.css" type="text/css">










    
    
    

    
    

    
    
    
    

    

    

    

    

    


        
            
            
                

            
        

    </head>
    <body>
    



    
<div class="root responsivegrid">


<div class="aem-Grid aem-Grid--12 aem-Grid--default--12 ">
    
<section class="b4-hero aem-GridColumn aem-GridColumn--default--12">



<div class="b4-hero__container" style="background-image:url(/content/dam/fortinet-blog/article-images/vmware-vuln-cve-malware-hero.jpg);">
    <img class="ratio" alt="Mirai, RAR1Ransom, and GuardMiner – Multiple Malware Campaigns Target VMware Vulnerability " aria-hidden="true" src=""/>
    <div class="b4-hero__text text-container">
        <p data-ly-test class="b4-hero__kicker">Threat Research</p>
        
        
        <h1 class="b4-hero__headline">Mirai, RAR1Ransom, and GuardMiner – Multiple Malware Campaigns Target VMware Vulnerability </h1>
        
    </div>
</div>
</section>
<section class="b15-blog-meta aem-GridColumn aem-GridColumn--default--12">

<div class="b15-blog-meta__container text-container">
    <span>By </span>

    <span class="b15-blog-meta__author">

        
					

                        

                                  
                                      
                                            
                                              <a href="/blog/search?author=Cara+Lin">Cara Lin</a>
                                          
                                          
                                           
                                      
                                  
                          
                    
        
    </span>
    <span class="b15-blog-meta__">
        

              </span>



    <span class="b15-blog-meta__date"> | October 20, 2022</span>
</div>
</section>
<div class="responsivegrid aem-GridColumn aem-GridColumn--default--12">


<div class="aem-Grid aem-Grid--12 aem-Grid--default--12 ">
    
    <div class="raw-import aem-GridColumn aem-GridColumn--default--12">
<div class="text-container"></div>
</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>In April, VMware patched <a href="https://www.vmware.com/security/advisories/VMSA-2022-0011.html" target="_blank" rel="noopener noreferrer">CVE-2022-22954</a>, a server-side template injection vulnerability caused by missing sanitization of the “deviceUdid” and “devicetype” parameters. It allows an attacker to inject a payload and achieve remote code execution on VMware Workspace ONE Access and Identity Manager. FortiGuard Labs published a <a href="https://www.fortiguard.com/threat-signal-report/4496/newly-patched-vmware-vulnerability-cve-2022-22954-being-exploited-in-the-wild" target="_blank" rel="noopener noreferrer">Threat Signal Report</a> about it and also developed an IPS signature in April.</p>
<p>We have observed attacks in the wild since then. Most of the payloads focus on probing for a victim’s sensitive data, for example, passwords, the hosts file, etc. In August, however, a few particular payloads caught our interest. They were intended to deploy Mirai, which targets exposed networking devices running Linux; RAR1Ransom, which leverages the legitimate WinRAR utility to encrypt files; and GuardMiner, a variant of XMRig used to “mine” Monero.</p>
<p>In this blog, we elaborate on how each of these malware families leveraged the VMware vulnerability and describe their post-exploitation behavior in more detail.</p>
<p style="margin-left: 40.0px;"><b>Affected platforms: </b>VMware Workspace ONE Access and Identity Manager<br />
<b>Impacted parties: </b>VMware users<br />
<b>Impact: </b>A remote attacker can exploit the vulnerability to execute arbitrary commands on the server by sending a crafted request containing a malicious template expression<br />
<b>Severity level: </b>Critical</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability/_jcr_content/root/responsivegrid/image.img.png/1666301526862/fig1.png" alt="Figure 1 CVE-2022-22954 Activity"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 1 CVE-2022-22954 Activity</span>


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <h2>Mirai Variant</h2>
<p>The complete Mirai payload is shown in Figure 2. It changes into the temp directory, downloads the Mirai variant from http[:]//107[.]189[.]8[.]21/pedalcheta/cutie[.]x86_64, and then executes it with the parameter “VMware”.</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability/_jcr_content/root/responsivegrid/image_1264119574.img.png/1666301551681/fig2.png" alt="Figure 2 Attacking traffic capture"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 2 Attacking traffic capture</span>


    

</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability/_jcr_content/root/responsivegrid/image_1804711136.img.png/1666301566204/fig3.png" alt="Figure 3 Decoded command"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 3 Decoded command</span>


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>Like most Mirai botnets, this variant’s main jobs include launching DoS attacks and brute-forcing credentials. Part of the configuration can be decoded by XORing the data with 0x54; this reveals the C2 server as “cnc[.]goodpackets[.]cc”. The decoded strings are shown below:</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability/_jcr_content/root/responsivegrid/image_207390923.img.png/1666301704477/fig4.png" alt="Figure 4 Decoded configuration string"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 4 Decoded configuration string</span>


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>We also identified the brute force function, which carries encoded account name and password strings:</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability/_jcr_content/root/responsivegrid/image_479804056.img.png/1666301730137/fig5.png" alt="Figure 5 Functions for brute force attack"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 5 Functions for brute force attack</span>


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>The decoded strings are listed below. They consist of commonly used passwords (together with a number of account names such as root, guest, and Administrator) and default credentials for well-known IoT devices:</p>


</div>
<div class="cmp cmp-text aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--3">
  <table border="1" cellspacing="0" cellpadding="0" width="574">
<tbody><tr><td width="144"><p style="text-align: center;">hikvision</p>
</td>
<td width="144"><p style="text-align: center;">1234</p>
</td>
<td width="144"><p style="text-align: center;">win1dows</p>
</td>
<td width="144"><p style="text-align: center;">S2fGqNFs</p>
</td>
</tr><tr><td width="144"><p style="text-align: center;">root</p>
</td>
<td width="144"><p style="text-align: center;">tsgoingon</p>
</td>
<td width="144"><p style="text-align: center;">newsheen</p>
</td>
<td width="144"><p style="text-align: center;">12345</p>
</td>
</tr><tr><td width="144"><p style="text-align: center;">default</p>
</td>
<td width="144"><p style="text-align: center;">solokey</p>
</td>
<td width="144"><p style="text-align: center;">neworange88888888</p>
</td>
<td width="144"><p style="text-align: center;">guest</p>
</td>
</tr><tr><td width="144"><p style="text-align: center;">bin</p>
</td>
<td width="144"><p style="text-align: center;">user</p>
</td>
<td width="144"><p style="text-align: center;">neworang</p>
</td>
<td width="144"><p style="text-align: center;">system</p>
</td>
</tr><tr><td width="144"><p style="text-align: center;">059AnkJ</p>
</td>
<td width="144"><p style="text-align: center;">telnetadmin</p>
</td>
<td width="144"><p style="text-align: center;">tlJwpbo6</p>
</td>
<td width="144"><p style="text-align: center;">iwkb</p>
</td>
</tr><tr><td width="144"><p style="text-align: center;">141388</p>
</td>
<td width="144"><p style="text-align: center;">123456</p>
</td>
<td width="144"><p style="text-align: center;">20150602</p>
</td>
<td width="144"><p style="text-align: center;">00000000</p>
</td>
</tr><tr><td width="144"><p style="text-align: center;">adaptec</p>
</td>
<td width="144"><p style="text-align: center;">20080826</p>
</td>
<td width="144"><p style="text-align: center;">vstarcam2015</p>
</td>
<td width="144"><p style="text-align: center;">v2mprt</p>
</td>
</tr><tr><td width="144"><p style="text-align: center;">Administrator</p>
</td>
<td width="144"><p style="text-align: center;">1001chin</p>
</td>
<td width="144"><p style="text-align: center;">vhd1206</p>
</td>
<td width="144"><p style="text-align: center;">support</p>
</td>
</tr><tr><td width="144"><p style="text-align: center;">NULL</p>
</td>
<td width="144"><p style="text-align: center;">xc3511</p>
</td>
<td width="144"><p style="text-align: center;">QwestM0dem</p>
</td>
<td width="144"><p style="text-align: center;">7ujMko0admin</p>
</td>
</tr><tr><td width="144"><p style="text-align: center;">bbsd-client</p>
</td>
<td width="144"><p style="text-align: center;">vizxv</p>
</td>
<td width="144"><p style="text-align: center;">fidel123</p>
</td>
<td width="144"><p style="text-align: center;">dvr2580222</p>
</td>
</tr><tr><td width="144"><p style="text-align: center;">par0t</p>
</td>
<td width="144"><p style="text-align: center;">hg2x0</p>
</td>
<td width="144"><p style="text-align: center;">samsung</p>
</td>
<td width="144"><p style="text-align: center;">t0talc0ntr0l4!</p>
</td>
</tr><tr><td width="144"><p style="text-align: center;">cablecom</p>
</td>
<td width="144"><p style="text-align: center;">hunt5759</p>
</td>
<td width="144"><p style="text-align: center;">epicrouter</p>
</td>
<td width="144"><p style="text-align: center;">zlxx</p>
</td>
</tr><tr><td width="144"><p style="text-align: center;">pointofsale</p>
</td>
<td width="144"><p style="text-align: center;">nflection</p>
</td>
<td width="144"><p style="text-align: center;">admin@mimifi</p>
</td>
<td width="144"><p style="text-align: center;">xmhdipc</p>
</td>
</tr><tr><td width="144"><p style="text-align: center;">icatch99</p>
</td>
<td width="144"><p style="text-align: center;">password</p>
</td>
<td width="144"><p style="text-align: center;">daemon</p>
</td>
<td width="144"><p style="text-align: center;">netopia</p>
</td>
</tr><tr><td width="144"><p style="text-align: center;">3com</p>
</td>
<td width="144"><p style="text-align: center;">DOCSIS_APP</p>
</td>
<td width="144"><p style="text-align: center;">hagpolm1</p>
</td>
<td width="144"><p style="text-align: center;">klv123</p>
</td>
</tr><tr><td width="144"><p style="text-align: center;">OxhlwSG8</p>
</td>
<td width="144" style="text-align: center;"> </td>
<td width="144" style="text-align: center;"> </td>
<td width="144"><p> </p>
</td>
</tr></tbody></table>


</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>Once executed, the variant displays the hardcoded string “InfectedNight did its job”, sends a heartbeat that includes the parameter “VMware”, and then waits for further commands from the C2 server. Below are the traffic sessions for the heartbeat and for a brute force attack.</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability/_jcr_content/root/responsivegrid/image_7309056.img.png/1666301863667/fig6.png" alt="Figure 6 Heartbeat traffic capture"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 6 Heartbeat traffic capture</span>


    

</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability/_jcr_content/root/responsivegrid/image_580181920.img.png/1666302348267/fig7.png" alt="Figure 7 Brute force attack session"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 7 Brute force attack session</span>


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <h2>Initialization Script for RAR1Ransom and GuardMiner</h2>
<p>Another noticeable payload comes from 67[.]205[.]145[.]142. It contains two sessions, each with different commands depending on the victim’s operating system. One leverages PowerShell to download “init.ps1”; the other uses curl, wget, and Python’s urlopen to download “init.sh”.</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability/_jcr_content/root/responsivegrid/image_993645055.img.png/1666302428439/fig8.png" alt="Figure 8 Attack traffic capture for Windows"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 8 Attack traffic capture for Windows</span>


    

</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability/_jcr_content/root/responsivegrid/image_2136078255.img.png/1666302453392/fig9.png" alt="Figure 9 Attack traffic capture for Linux"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 9 Attack traffic capture for Linux</span>


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>The PowerShell script “init.ps1” includes several download links on cloudflare-ipfs[.]com (a public IPFS gateway) for the next stages of the attack, and each file has its own backup link on crustwebsites[.]net. </p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability/_jcr_content/root/responsivegrid/image_2134249866.img.png/1666302492815/fig10.png" alt="Figure 10 Download links in init.ps1"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 10 Download links in init.ps1</span>


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>There are 7 files used for initialization:</p>
<ul>
<li>phpupdate.exe: XMRig Monero mining software</li>
<li>config.json: Configuration file for the mining pools</li>
<li>networkmanager.exe: Executable used to scan for and spread the infection to other hosts</li>
<li>phpguard.exe: Watchdog executable that keeps the XMRig miner running</li>
<li>init.ps1: The script file itself, which maintains persistence by creating a scheduled task</li>
<li>clean.bat: Script file that removes competing cryptominers from the compromised host</li>
<li>encrypt.exe: RAR1 ransomware</li>
</ul>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability/_jcr_content/root/responsivegrid/image_1764865810.img.png/1666302607823/fig11.png" alt="Figure 11 &#34;start encrypt&#34; section in init.ps1"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 11 &#34;start encrypt&#34; section in init.ps1</span>


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>In the “start encrypt” section shown in Figure 11, the script first checks for “flag_encrypt.flag” before launching RAR1Ransom. If the flag file already exists and “encrypt.exe” has already been downloaded, it deletes “encrypt.exe” and moves on to the next stage. Otherwise, it checks the file size to determine whether the file path should be updated. Finally, after that check, it executes the ransomware. The details of the RAR1 ransomware are elaborated in the next section.</p>
<p>The script then starts the GuardMiner attack. GuardMiner is a cross-platform mining Trojan that has been active since 2020, and FortiGuard Labs has published a detailed <a href="https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/report-guardminer-operation-disclosed.pdf">report</a> covering it. This version also drops the script file “init.sh” for Linux systems. </p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability/_jcr_content/root/responsivegrid/image_1231062517.img.png/1666302648746/fig12.png" alt="Figure 12 “init.sh” for Linux"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 12 “init.sh” for Linux</span>


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>We also noticed that GuardMiner has updated “networkmanager.exe” with more recent vulnerabilities. Judging from the names of the exploit modules, the exploit list may have been collected from the <a href="https://github.com/chaitin/xray/releases" target="_blank" rel="noopener noreferrer">Chaitin Tech xray project on GitHub</a>, a tool intended for security testing.</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability/_jcr_content/root/responsivegrid/image_219188077.img.png/1666302717992/fig13.png" alt="Figure 13 rdata section contains vulnerability list in networkmanager.exe"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 13 rdata section contains vulnerability list in networkmanager.exe</span>


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>We extracted the complete vulnerability list below:</p>


</div>
<div class="cmp cmp-text aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--3">
  <table border="1" cellspacing="0" cellpadding="0" width="516">
<tbody><tr><td width="238" valign="top"><p style="text-align: center;">eyou-email-system-rce</p>
</td>
<td width="278" valign="top"><p style="text-align: center;">maccms-rce</p>
</td>
</tr><tr><td width="238" valign="top"><p style="text-align: center;">thinkphp5-controller-rce</p>
</td>
<td width="278" valign="top"><p style="text-align: center;">seacms-rce</p>
</td>
</tr><tr><td width="238" valign="top"><p style="text-align: center;">terramaster-tos-rce-cve-2020-28188</p>
</td>
<td width="278" valign="top"><p style="text-align: center;">spon-ip-intercom-ping-rce</p>
</td>
</tr><tr><td width="238" valign="top"><p style="text-align: center;">thinkphp5023-method-rce</p>
</td>
<td width="278" valign="top"><p style="text-align: center;">yonyou-grp-u8-sqli-to-rce</p>
</td>
</tr><tr><td width="238" valign="top"><p style="text-align: center;">yccms-rce</p>
</td>
<td width="278" valign="top"><p style="text-align: center;">gitlist-rce-cve-2018-1000533</p>
</td>
</tr><tr><td width="238" valign="top"><p style="text-align: center;">phpunit-cve-2017-9841-rce</p>
</td>
<td width="278" valign="top"><p style="text-align: center;">pandorafms-cve-2019-20224-rce</p>
</td>
</tr><tr><td width="238" valign="top"><p style="text-align: center;">yonyou-nc-bsh-servlet-bshservlet-rce</p>
</td>
<td width="278" valign="top"><p style="text-align: center;">CVE-2022-22947-spring-clond-Gateway-RCE</p>
</td>
</tr><tr><td width="238" valign="top"><p style="text-align: center;">CVE-2022-22954-VMware-RCE</p>
</td>
<td width="278" valign="top"><p style="text-align: center;">amtt-hiboss-server-ping-rce</p>
</td>
</tr><tr><td width="238" valign="top"><p style="text-align: center;">inspur-tscev4-cve-2020-21224-rce</p>
</td>
<td width="278" valign="top"><p style="text-align: center;">dlink-dsl-2888a-rce</p>
</td>
</tr><tr><td width="238" valign="top"><p style="text-align: center;">phpstudy-backdoor-rce</p>
</td>
<td width="278" valign="top"><p style="text-align: center;">Confluence-CVE-2022-26134</p>
</td>
</tr><tr><td width="238" valign="top"><p style="text-align: center;">seacms-before-v992-rce</p>
</td>
<td width="278" valign="top"><p style="text-align: center;">apache-flink-upload-rce</p>
</td>
</tr><tr><td width="238" valign="top"><p style="text-align: center;">dedecms-cve-2018-7700-rce</p>
</td>
<td width="278" valign="top"><p style="text-align: center;">solr-velocity-template-rce</p>
</td>
</tr><tr><td width="238" valign="top"><p style="text-align: center;">webmin-cve-2019-15107-rce</p>
</td>
<td width="278" valign="top"><p style="text-align: center;">jumpserver-unauth-rce</p>
</td>
</tr><tr><td width="238" valign="top"><p style="text-align: center;">Hotel-Internet-Manage-RCE</p>
</td>
<td width="278" valign="top"><p style="text-align: center;">drupal-cve-2018-7600-rce</p>
</td>
</tr><tr><td width="238" valign="top"><p style="text-align: center;">seacms-v654-rce</p>
</td>
<td width="278" valign="top"><p style="text-align: center;">S2-045-rce</p>
</td>
</tr><tr><td width="238" valign="top"><p style="text-align: center;">tamronos-iptv-rce</p>
</td>
<td width="278" valign="top"><p style="text-align: center;">ecshop-rce</p>
</td>
</tr><tr><td width="238" valign="top"><p style="text-align: center;">satellian-cve-2020-7980-rce</p>
</td>
<td width="278" valign="top"><p style="text-align: center;">opentsdb-cve-2020-35476-rce</p>
</td>
</tr><tr><td width="238" valign="top"><p style="text-align: center;">zeroshell-cve-2019-12725-rce</p>
</td>
<td width="278" valign="top"><p style="text-align: center;">struts2-062-cve-2021-31805-rce</p>
</td>
</tr><tr><td width="238" valign="top"><p style="text-align: center;">dlink-cve-2019-16920-rce</p>
</td>
<td width="278" valign="top"><p style="text-align: center;">h3c-imc-rce</p>
</td>
</tr></tbody></table>


</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <h2>RAR1Ransom</h2>
<p>RAR1Ransom drops “rar.exe”, the legitimate WinRAR software, in the C:/Windows/Temp folder and uses it to compress a victim’s files with a password. It uses several default WinRAR options to complete the encryption efficiently; these processes can be seen in Process Explorer in Figure 14.</p>


</div>
<div class="cmp cmp-image aem-GridColumn aem-GridColumn--default--12">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability/_jcr_content/root/responsivegrid/image_1898462131.img.png/1666302801046/fig14.png" alt="Figure 14 Processes while RAR1Ransom encrypted files"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 14 Processes while RAR1Ransom encrypted files</span>


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>The whole command is shown below. The options “df” and “m0” mean delete the files after adding them to the archive, without compression; “mt10” means it uses ten threads; and “ep” means exclude the path from the name. The “hp” option encrypts both file data and headers with a password. Because the password is appended directly to “hp” on the command line, it is visible in plain text to any tooling that records process command lines, which is worth preserving during incident response.</p>
<p><span style="font-size: 12.0pt;"><span style="font-family: Calibri , sans-serif;"><i>C:/Windows/Temp/rar.exe a <span style="color: red;">-df -m0 -mt10 -ep -hp</span>VbDsLHSfbomQiQ6YuP7m1ZaNP0LQqYpzrkjwvuNSjsnQlicOxNPi0iKzKeQO1Besbpbx1iKWNeOfFQDEw8qaoAGmN1Nx9i0vbUcr &quot;C:/Python27/Lib/json/MVXGG33EMVZC44DZ.rar1&quot; &quot;C:/Python27/Lib/json/MVXGG33EMVZC44DZ&quot;</i></span></span></p>
<p>RAR1Ransom targets a compromised victim’s files with the particular extensions shown in Figure 15. </p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability/_jcr_content/root/responsivegrid/image_792615869.img.png/1666302963060/fig15.png" alt="Figure 15 Target file extension"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 15 Target file extension</span>


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>All encrypted files have a unique filename and the “.rar1” extension (Figure 16), and it drops a text file “READ_TO_DECRYPT.txt” in the same folder with the message shown in Figure 17.</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability/_jcr_content/root/responsivegrid/image_1792788837.img.png/1666302992134/fig16.png" alt="Figure 16 Encrypted files"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 16 Encrypted files</span>


    

</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability/_jcr_content/root/responsivegrid/image_1555396000.img.png/1666303011690/fig17.png" alt="Figure 17 Ransom note"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 17 Ransom note</span>


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>The wallet string in the ransom note is identical to the one in the miner’s configuration shown in Figure 18. We can tell the attacker intends to utilize a victim’s resources as much as possible, not only by installing RAR1Ransom for extortion, but also by spreading GuardMiner to collect cryptocurrency. </p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability/_jcr_content/root/responsivegrid/image_1576004924.img.png/1666303040733/fig18.png" alt="Figure 18 Configuration “config.json” for GuardMiner"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 18 Configuration “config.json” for GuardMiner</span>


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <h2>Conclusion</h2>
<p>Although the critical vulnerability CVE-2022-22954 was already patched in April, multiple malware campaigns are still trying to exploit it. Users should always keep systems updated and patched and be aware of any suspicious processes in their environment. These Mirai variants, RAR1Ransom, and GuardMiner are not extremely complicated samples, but their methods are constantly changing and evolving. FortiGuard Labs will continue to monitor and provide the latest updates.</p>
<h2>Fortinet Protections</h2>
<p>Fortinet released <a href="https://www.fortinet.com/products/ips">IPS</a> signature VMware.Workspace.ONE.Access.Catalog.Remote.Code.Execution for CVE-2022-22954 to proactively protect our customers. The signature is officially released in IPS definition version 20.297.   </p>
<p>The scripts and malware are detected and blocked by the FortiGuard Antivirus and FortiEDR services:</p>
<p style="margin-left: 40.0px;">Adware/Miner<br />
W32/PossibleThreat<br />
Riskware/Agent<br />
BASH/CoinMiner.RZ!tr<br />
PowerShell/CoinMiner.BW!tr<br />
ELF/GuardMiner.A!tr<br />
W64/GuardMiner.A!tr<br />
BAT/Cleaner.CC41!tr<br />
</p>
<h2>IOCs</h2>
<h3><span style="font-weight: normal;">SHA256:</span></h3>
<p>66db83136c463441ea56fb1b5901c505bcd1ed52a73e23d7298f7055db2108d1<br />
4761e5d9bd3ebe647fbd7840b7d2d9c1334bde63d5f6b05a4ed89af7aa3a6eab<br />
9c00823295f393358762542418bb767b44cfe285c4ab33e7e57902c6e1c2dacb<br />
23270d23f8485e3060f6ea8c9879177781098b1ed1b5117579d2f4d309aeffd2<br />
4b3578ee9e81f356a89ff2e1aff6bbee8441472869b0c6c4792fc9fd486a0df5<br />
0212b447c25e9db55f7270e1e2a45846e2261445474845997a314cb1ddeea4f7<br />
a372e07a691f8759e482615fd7624bfca2a2bc2cd8652a47ff9951ff035759a5<br />
f2a6827ea5f60cefc2f6528269b2d1557a7cc1e68f84edca4029e819dd0509cb<br />
4b4c0d3cb708612b1fdb0394e029e507e4c0f6136fc44e415200694624ed5b68<br />
7fc7c242ad1fa439e515725561a9e304b3d94e40ba91f61df77471a4c2ff2b39</p>
<p><i>Learn more about Fortinet’s <a href="https://www.fortinet.com/fortiguard/labs?utm_source=blog&amp;utm_medium=blog&amp;utm_campaign=fortiguard-labs">FortiGuard Labs</a> threat research and global intelligence organization and Fortinet’s FortiGuard AI-powered Security Services <a href="https://www.fortinet.com/solutions/enterprise-midsize-business/security-as-a-service/fortiguard-subscriptions?utm_source=blog&amp;utm_medium=blog&amp;utm_campaign=fortiguard-subscriptions">portfolio</a>. <a href="https://www.fortinet.com/blog/threat-research?utm_source=blog&amp;utm_medium=blog&amp;utm_campaign=threat-research">Sign up</a> to receive our threat research blogs.</i></p>


</div>

    
</div>
</div>

    
</div>
</div>


    
    
    

    
    





    



    
        
    
    

    </body>
    </html>
